Traditionally, risk management has been something we do only on occasion. It has been a stopping point or an intermittent activity aimed at proving that the current plans and actions are sufficient to steer clear of trouble.
Lately, and even more so recently with the renewal of the COSO ERM framework and the upcoming new version of ISO 31000, there is a trend towards making risk management an integral part of an organization’s processes and management activities.
To help you understand what «making risk management an integral part of an organization’s processes and management activities» really means, I have made a list of the types of questions for which risk management is a relevant tool in any business:
How might customer requirements impact the way we operate?
How might regulatory requirements, and any changes to those, impact the way we are able to operate?
Which threats could impact our projects?
What might threaten the company’s future?
How could our employees, our finances, our ability to deliver products and our reputation be impacted by unforeseen incidents?
Does our activity impact the environment and third parties in a negative way?
Which actions should be taken to avoid risk or loss of value to our company?
Which actions should be taken to improve our results?
How can we repeat successes?
Are there actions which could be taken to improve our product, for example by making it more relevant or cheaper, increasing the customer base or improving its environmental impact?
How can we develop our work processes to make them more efficient?
Is there any way we can improve the performance of work processes for our employees?
How can we ensure that the systems required by regulation add value to our company?
How can we use the data we collect as a basis for new plans and strategies?
How do we prioritize activities?
Are there activities that should be changed or shut down?
How do we ensure that mistakes, incidents and bad practices are used in learning processes?
What do we do if our suppliers don’t perform as well as expected?
As you may have picked up on already, risk management is an activity that can be applied to many types of processes, hence the trend of building a risk management approach into existing processes rather than running it as a separate activity.
Basically, risk management is about three things: 1) navigating the context/environment your company finds itself in, 2) ensuring that decisions are made on a solid basis of information, and 3) reaching the objectives that your organization has set out to reach. And remember: if you feel you're not getting results, you might be measuring the wrong data, or you may need to change the way you work.